SplunkPy: use expandtoken in mirroring query (#34840)

* use expandtoken * expand token in mirror * update docker
demisto · Jun 20, 2024 · 6b3e067 · 6b3e067
1 parent e0332f3
commit 6b3e067
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 3 deletions.
diff --git a/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.py b/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.py
@@ -1527,7 +1527,8 @@ def get_remote_data_command(service: client.Service, args: dict,
              f'| where rule_id="{notable_id}" ' \
              f'| where last_modified_timestamp>{last_update_splunk_timestamp} ' \
              '| fields - time ' \
-             '| map search=" search `notable_by_id($rule_id$)`"'
+             '| map search=" search `notable_by_id($rule_id$)`"' \
+             '| expandtoken'
 
     demisto.debug(f'Performing get-remote-data command with query: {search}')
 

diff --git a/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml b/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml
@@ -673,7 +673,7 @@ script:
     - contextPath: Splunk.UserMapping.SplunkUser
       description: Splunk user mapping.
       type: String
-  dockerimage: demisto/splunksdk-py3:1.0.0.91477
+  dockerimage: demisto/splunksdk-py3:1.0.0.98420
   isfetch: true
   ismappable: true
   isremotesyncin: true

diff --git a/Packs/SplunkPy/ReleaseNotes/3_1_30.md b/Packs/SplunkPy/ReleaseNotes/3_1_30.md
@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### SplunkPy
+
+- Fixed an issue where in the mirror-in, fields value was changed to a non expanded token value
+- Updated the Docker image to: *demisto/splunksdk-py3:1.0.0.98420*.
diff --git a/Packs/SplunkPy/pack_metadata.json b/Packs/SplunkPy/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Splunk",
     "description": "Run queries on Splunk servers.",
     "support": "xsoar",
-    "currentVersion": "3.1.29",
+    "currentVersion": "3.1.30",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",